[VIM] Missed PHP file include in recent Calendarix
Steven M. Christey
coley at mitre.org
Mon Jun 6 23:51:35 EDT 2005
BUGTRAQ:20050531 multiple vulnerability Calendarix Advanced
Multiple VDBs seem to have missed the following portion of the post:
I downloaded the demo version of Calendarix, and there are only 2
previous PHP statements before this line - both include statements,
neither of which seems to define $calpath, which is defined in
cal_config.php. cal_admintop.php itself is included a number of times
in other files.
Thus it appears to be a typical file include issue where an include
file depends on variables defined by previously included files, but is
directly callable assuming the relevant PHP configuration
etc. etc. etc.
Also, at least two of the SQL injection issues in the "catview"
parameter seem to lead to the same eventqry function as defined in
cal_day.php line 112:
$result = eventqry($vda,$vdm,$year,$uname,$order,true,$catview) ;
cal_week.php line 193:
$result = eventqry($fdd,$fdm,$fdy,$uname,$order,true,$catview) ;
cal_cat.php lines 34 through 39 have their own vulnerable select
$query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview";
$query = "select cat_id,cat_name,cat_color,parent_id from ".$CAT_TB." where cat_id=$catview or parent_id=$catview";
This was based solely on source code inspection of the demo version of
I'll be sending an inquiry to the developer shortly.
More information about the VIM